Category Archives: Bailey

Simpsons.exe

Simpsons.exe is a Trojan horse that can delete every file on the victim's computer and create a major headache for its owner. It first appeared in November 2000 and was distributed as a WinZip self-extracting archive (WinZip is a utility that creates and manages Zip files; a self-extracting archive is an .exe that unpacks its contents itself, so the victim does not need WinZip installed). Because it only does damage when a user runs it and does not replicate on its own, it is a Trojan rather than a true virus, although many sources call it one.

The archive's icon was changed to look like an installer package so that the victim would run the file. When the user double-clicks it, two dialog boxes appear.

“The first box informs the user that the self-extracting archive was created by a non-licensed WinZIP-Self-Extractor and it is prohibited to distribute that archive. The second box in the background is the standard WinZip copyright screen with the modified icon. The caption of that dialog box is ‘Win-Zip Self-Extractor [SIMPSONS.EXE]’” (What).

Once the user presses OK on that dialog, simpsons.bat runs and the Trojan begins erasing files, starting with the C: drive and then moving on to the A:, B: and finally the D: drive.

Computer Associates, Inc. warned users who received the Trojan not to press OK, but instead to power off the computer, reboot, and delete the self-extracting archive before it could run and damage the system.

If the user does press OK, the archive extracts Simpsons.bat and Simpsons.bmp onto the computer. Simpsons.bat immediately starts erasing all the files and directories on the machine. Simpsons.bmp is not a bitmap despite its .bmp extension: it is an ordinary Zip archive containing three non-malicious files, ReadMe.txt, file_id.diz and sample.exe (What).
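The .bmp that is really a Zip archive and the .exe wearing an installer icon are both cases of a file's name or icon lying about its contents, which is exactly what a file-type check should not trust. The script below is an added example, not code from the original page or from Computer Associates: it identifies a file by its leading magic bytes rather than its extension and flags mismatches. The sample contents are constructed stand-ins rather than the real Simpsons.exe bytes, and the self-extracting-archive heuristic (a PE "MZ" stub followed somewhere by an embedded Zip local-file header) is an assumption about how WinZip SFX files are laid out.

```python
"""Identify files by magic bytes rather than by extension (added example)."""

# Well-known leading signatures. A Zip's first local-file header starts with
# "PK\x03\x04"; Windows executables (.exe/.dll PE files) start with "MZ";
# Windows bitmaps start with "BM".
MAGIC = {
    b"PK\x03\x04": "zip",
    b"MZ": "pe",
    b"BM": "bmp",
}

# What each extension claims to be. A .bat file is plain text.
CLAIMED_BY_EXT = {".zip": "zip", ".exe": "pe", ".dll": "pe", ".bmp": "bmp", ".bat": "text"}


def sniff_type(data: bytes) -> str:
    """Return the type implied by the file's content, ignoring its name."""
    for sig, kind in MAGIC.items():
        if data.startswith(sig):
            return kind
    head = data[:512]
    if head and all(32 <= b < 127 or b in (9, 10, 13) for b in head):
        return "text"
    return "unknown"


def is_self_extracting(data: bytes) -> bool:
    """Heuristic (assumption): a self-extracting archive is a PE stub with a Zip
    appended, so the file starts with "MZ" and contains a Zip local-file header
    somewhere after the stub. Legitimate installers can match this too."""
    return data.startswith(b"MZ") and data.find(b"PK\x03\x04", 2) != -1


def audit(name: str, data: bytes) -> dict:
    """Compare what the extension claims with what the bytes say."""
    dot = name.rfind(".")
    ext = name[dot:].lower() if dot != -1 else ""
    claimed = CLAIMED_BY_EXT.get(ext, "unknown")
    actual = sniff_type(data)
    return {
        "name": name,
        "claimed": claimed,
        "actual": actual,
        "mismatch": claimed != "unknown" and actual != claimed,
        "self_extracting": is_self_extracting(data),
    }


# Constructed sample contents (not the real Trojan's bytes): a fake PE stub with
# an embedded Zip header, a Zip masquerading as a bitmap, a plausible bitmap
# header and a harmless batch file.
SAMPLES = {
    "Simpsons.exe": b"MZ" + b"\x90" * 100 + b"PK\x03\x04" + b"\x00" * 30,
    "Simpsons.bmp": b"PK\x03\x04" + b"\x14\x00" + b"\x00" * 40,
    "picture.bmp": b"BM" + b"\x00" * 40,
    "Simpsons.bat": b"@echo off\r\necho constructed sample\r\n",
}


def audit_samples() -> list:
    """Audit every constructed sample and return the per-file verdicts."""
    return [audit(name, data) for name, data in SAMPLES.items()]


if __name__ == "__main__":
    for r in audit_samples():
        flag = "MISMATCH" if r["mismatch"] else "ok"
        sfx = " (self-extracting)" if r["self_extracting"] else ""
        print(f"{r['name']:13} claims {r['claimed']:7} is {r['actual']:7} {flag}{sfx}")
```

The check looks only at the first bytes, which is what the `file` utility and libmagic do with a far larger signature table; the point is that the verdict comes from the content, not from the name or icon. A self-extracting hit is a reason to inspect the file, not a malware verdict, since legitimate installers are built the same way.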

Simon Perry, Computer Associates’ Vice President of security solutions, said, “We’ve seen many attacks recently that have used Microsoft’s VBS language, but we cannot forget that danger is packaged in many other ways — in this case a Trojan Horse. It’s very simple. On the heels of the ILOVEYOU and Stages of Life threats, we cannot stress how important it is for eBusinesses and users to protect their valuable data by using extreme caution before opening any unsolicited file (What).”

Computer Associates’ anti-virus product InoculateIT detected the Simpsons Trojan automatically. CA described InoculateIT as unmatched management and virus protection, certified by the International Computer Security Association (ICSA) to detect 100% of viruses “in the wild” and to protect a network against potentially damaging and costly virus incidents (What).

The Simpsons Trojan horse can be very damaging to the user’s computer: it is capable of erasing all of the files, documents and directories on the machine, which would be devastating to the user. I could not find the number of people affected by this virus, but I’m sure it had devastating effects.

SOURCES:

  • “New Trojan Horse Virus Discovered.” Internet Business News (2000): 1. ProQuest. Web. 3 Apr. 2014.
  • “What Is “The Simpsons” Virus?” Animated TV. About.com Animated TV, n.d. Web. 03 Apr. 2014.

Beast

So far we have discussed the characteristics of Trojan horses and how to protect your computer from contracting one. Now I’d like to discuss another example of a Trojan horse, named Beast.


Beast was created in 2002 by an author known as Tataye. It is a Windows-based backdoor Trojan, more commonly known in the underground hacking community as a Remote Administration Tool (RAT), and it can infect Windows versions 95 through XP. It became very popular because of its feature set and used the typical client-server model: the server is the component that infects the victim’s machine, while the client is the control panel operated by the attacker.

Beast was one of the first Trojans to use a reverse connection to its victims: rather than the attacker connecting in, the infected machine connects out to the attacker’s client, which gets past NAT and inbound firewall rules that would block a direct connection. Once that connection was established, the attacker could completely control the infected computer. The server installed itself in one of these three locations:

  • C:\Windows\msagent\ms****.com (Size ranging from 30KB to 49KB)
  • C:\Windows\System32\ms****.com (Size ranging from 30KB to 49KB)
  • C:\Windows\dxdgns.dll or C:\Windows\System32\dxdgns.dll (Location dependent on attacker’s choice)

It used process injection to load its code into a specific process, commonly “explorer.exe” (Windows Explorer), “iexplore.exe” (Internet Explorer) or “msnmsgr.exe” (MSN Messenger), so that it could steal information and give its operator control of your computer while hiding inside a legitimate-looking process (K).

On Windows XP you could disinfect the system by deleting the three files listed above in Safe Mode with System Restore turned off: Safe Mode keeps the host process from loading the injected code and locking the files, and disabling System Restore keeps Windows from restoring the deleted files from a restore point.
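The file locations and sizes above are concrete indicators you can check for. The script below is an added example, not from the page’s sources or from the Beast author: it sweeps a system drive for files matching those indicators, meaning an ms????.com file of 30 to 49 KB in the msagent or System32 directory and a dxdgns.dll in either location. The page leaves the four middle characters of the .com name unspecified, so the sweep uses a glob for them; the fixture files are constructed, and a name-and-size match is only a reason to inspect a file, never proof of infection.

```python
"""Sweep a drive for the Beast file indicators listed above (added example)."""
import fnmatch
import os
import tempfile

KB = 1024

# Indicators from the write-up above. "ms????.com" stands in for the "ms****.com"
# name whose middle characters the page does not specify.
BEAST_IOCS = [
    (os.path.join("Windows", "msagent"),  "ms????.com", (30 * KB, 49 * KB)),
    (os.path.join("Windows", "System32"), "ms????.com", (30 * KB, 49 * KB)),
    ("Windows",                           "dxdgns.dll", None),
    (os.path.join("Windows", "System32"), "dxdgns.dll", None),
]


def sweep(root: str) -> list:
    """Return full paths under `root` (normally the system drive, e.g. "C:\\")
    that match a Beast file indicator by name and, where given, by size."""
    hits = []
    for subdir, pattern, size_range in BEAST_IOCS:
        directory = os.path.join(root, subdir)
        if not os.path.isdir(directory):
            continue
        for name in os.listdir(directory):
            path = os.path.join(directory, name)
            if not os.path.isfile(path) or not fnmatch.fnmatchcase(name.lower(), pattern):
                continue
            if size_range is not None:
                low, high = size_range
                if not low <= os.path.getsize(path) <= high:
                    continue
            hits.append(path)
    return hits


def make_fixture(root: str) -> None:
    """Lay out a constructed, fake system drive: two indicator-like files that
    should be reported and two near-misses that should not."""
    for subdir in ("Windows", os.path.join("Windows", "msagent"), os.path.join("Windows", "System32")):
        os.makedirs(os.path.join(root, subdir), exist_ok=True)
    files = {
        os.path.join("Windows", "msagent", "msabcd.com"): b"\x00" * (40 * KB),  # hit: name and size match
        os.path.join("Windows", "dxdgns.dll"): b"\x00" * 512,                   # hit: name match, no size rule
        os.path.join("Windows", "System32", "msxxxx.com"): b"\x00" * 100,       # miss: name matches, too small
        os.path.join("Windows", "System32", "mstoo.com"): b"\x00" * (40 * KB),  # miss: wrong name length
    }
    for rel, content in files.items():
        with open(os.path.join(root, rel), "wb") as f:
            f.write(content)


def demo() -> list:
    """Build the fixture in a temp dir, sweep it and return matching basenames."""
    root = tempfile.mkdtemp(prefix="beast-sweep-")
    make_fixture(root)
    return sorted(os.path.basename(p) for p in sweep(root))


if __name__ == "__main__":
    print(demo())  # constructed fixture yields ['dxdgns.dll', 'msabcd.com']
```

To run it against a real machine call `sweep("C:\\")` from an elevated prompt, ideally from Safe Mode as the removal advice above suggests, so the injected host process is not holding the files open. Anything it reports should be confirmed by hash or by an anti-virus scan before deletion, since the name glob is deliberately loose.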

Beast came with a built-in firewall bypasser and could terminate anti-virus or firewall processes.

Beast also had a binder that could join two or more files into a single executable and change its icon, so the server could be hidden inside an apparently harmless file. Once connected to a victim, the attacker could manipulate files; start or terminate services, applications and processes; read stored passwords; control power options (shut down, crash or reboot); and even open a chat window with the person on the infected machine (Beast).

Sources:

“Beast (Trojan Horse).” Wikipedia. Wikimedia Foundation, 21 Apr. 2014. Web. 22 Apr. 2014.

K, Rajnish. “Top 10 Most Dangerous Computer Viruses of the Decade Updated 2012.” Tech Twisted Technology Blogging. N.p., 20 Feb. 2012. Web. 22 Apr. 2014.


Koobface

My final post will discuss a third example of a Trojan horse virus that could infect your computer if you aren’t careful. Most of us would be highly susceptible to this virus due to the fact that we are social media obsessed and are on it 24/7.

Koobface was a Trojan horse that originally targeted users of social networking and messaging services such as Facebook, Skype and Yahoo Messenger, e-mail services such as Google Mail, Yahoo Mail and AOL Mail, and social networks including MySpace, hi5, Bebo, Friendster and Twitter.

Koobface is designed to infect Microsoft Windows and Mac OS X, and can also infect Linux.

Once on a machine, this Trojan uses the victim’s logged-in Facebook session to read their entire friends list and post links to malicious sites; friends who click those links become infected in turn. It also looks for other social networks the user belongs to and posts the same infecting links on the user’s behalf. I believe this is similar to what Siyu discussed in her first post about her friend’s Facebook saying that their mother was in an accident and needed money.

We’ve all seen them: “I can’t believe you did this!” “Didn’t you know they were filming you?” The victim clicks the link and is usually told to download Adobe Flash Player to play the video, but what actually downloads is Koobface, and soon they too are posting these links.

Later versions stopped using some of those websites after the sites improved their protection against Trojans, using techniques like the ones Dustin has suggested.

I found a great video that discusses this Trojan, and I suggest you watch it: How Koobface Works.

Sources:

Haley, Craig C. “Koobface – What Is It Really?” ThatsNonsense.com. N.p., n.d. Web. 22 Apr. 2014.